npm - auriga-cli - Versions diffs - 1.20.5 → 1.20.6 - Mend

auriga-cli 1.20.5 → 1.20.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -119,7 +119,7 @@ Supports both project and global installation scopes.
 ### Plugins
-Installs selected plugins for Claude Code, Codex, or both. Claude Code uses `claude plugins install` and honors `--scope project|user`; Codex uses `codex plugin marketplace add` and enables selected plugins in `~/.codex/config.toml`.
+Installs selected plugins for Claude Code, Codex, or both. Claude Code uses `claude plugins install` and honors `--scope project|user`; Codex uses `codex plugin marketplace add/upgrade` (the right one is picked by reading `~/.codex/config.toml`) and enables selected plugins in `~/.codex/config.toml`.
 Examples:

package/README.zh-CN.md CHANGED Viewed

@@ -119,7 +119,7 @@ npx auriga-cli
 ### Plugins
-可以把选中的插件安装到 Claude Code、Codex 或两者都装。Claude Code 路径使用 `claude plugins install`，并遵守 `--scope project|user`；Codex 路径使用 `codex plugin marketplace add`，并在 `~/.codex/config.toml` 里启用选中的插件。
+可以把选中的插件安装到 Claude Code、Codex 或两者都装。Claude Code 路径使用 `claude plugins install`，并遵守 `--scope project|user`；Codex 路径根据 `~/.codex/config.toml` 中是否已注册同名 marketplace 自动选择 `codex plugin marketplace add` 或 `upgrade`，并在 `~/.codex/config.toml` 里启用选中的插件。
 示例：

package/dist/catalog.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "generatedAt": "2026-05-15T04:24:39.164Z",
+  "generatedAt": "2026-05-15T08:06:41.771Z",
   "workflowSkills": [
     {
       "name": "planning-with-files",

package/dist/plugins.js CHANGED Viewed

@@ -422,18 +422,30 @@ function runPostInstallMigration(pluginName, opts, runtimes) {
         migrateLegacyNotifyConfig(opts);
     }
 }
-function codexMarketplaceAddCommand(packageRoot) {
-    if (process.env.DEV === "1") {
-        return `codex plugin marketplace add ${shellQuote(packageRoot)}`;
-    }
-    return "codex plugin marketplace add https://github.com/Ben2pc/auriga-cli.git";
+// Source string Codex CLI records in `~/.codex/config.toml`
+// `[marketplaces.<name>].source` after `marketplace add` succeeds. Used for
+// exact-string compare against the registered marketplace's source to detect
+// same-name-different-source hijack attempts before running `upgrade`.
+function codexLocalMarketplaceSource(packageRoot) {
+    if (process.env.DEV === "1")
+        return packageRoot;
+    return "https://github.com/Ben2pc/auriga-cli.git";
 }
-function codexExternalMarketplaceAddCommand(source) {
+function codexExternalMarketplaceSource(source) {
     // `source` is validated by validateExtraPluginConfigs against
     // MARKETPLACE_SOURCE_RE (alphanumerics + `._/-`) — no shell metachars
-    // can reach this string. URL form deliberately mirrors
-    // codexMarketplaceAddCommand's hardcoded production branch.
-    return `codex plugin marketplace add https://github.com/${source}.git`;
+    // can reach this string.
+    return `https://github.com/${source}.git`;
+}
+function codexMarketplaceAddCommand(packageRoot) {
+    const source = codexLocalMarketplaceSource(packageRoot);
+    // DEV-mode local paths may contain spaces; URLs need no shell quoting.
+    return process.env.DEV === "1"
+        ? `codex plugin marketplace add ${shellQuote(source)}`
+        : `codex plugin marketplace add ${source}`;
+}
+function codexExternalMarketplaceAddCommand(source) {
+    return `codex plugin marketplace add ${codexExternalMarketplaceSource(source)}`;
 }
 function codexMarketplaceUpgradeCommand(marketplaceName) {
     return `codex plugin marketplace upgrade ${shellQuote(marketplaceName)}`;
@@ -449,13 +461,36 @@ function commandErrorText(error) {
         parts.push(String(withOutput.stderr));
     return parts.join("\n");
 }
-function escapeRegex(value) {
-    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-function isCodexMarketplaceAlreadyAdded(error, marketplaceName) {
-    const text = commandErrorText(error);
-    const marketplacePattern = new RegExp(`marketplace ['"]?${escapeRegex(marketplaceName)}['"]? is already added`, "i");
-    return marketplacePattern.test(text);
+// Codex CLI records every added marketplace as `[marketplaces.<name>]` in
+// `~/.codex/config.toml` with a `source` field. Returns that stored source
+// for an exact-string compare against the source we would `add`, or null
+// when the marketplace isn't registered or the entry is malformed.
+//
+// Why config.toml is the authoritative signal: Codex's `add` command is
+// silently idempotent for an already-added marketplace (exit 0, prints to
+// stdout, no error), so we can't detect already-added by catching an
+// `add` failure. The stored source also lets us guard against same-name
+// hijack — a fork registered under our marketplace name would be invisible
+// to a presence-only check.
+function readCodexMarketplaceSource(marketplaceName) {
+    const configPath = path.join(codexHome(), "config.toml");
+    if (!fs.existsSync(configPath))
+        return null;
+    try {
+        const parsed = parseToml(fs.readFileSync(configPath, "utf-8"));
+        const marketplaces = parsed.marketplaces;
+        if (typeof marketplaces !== "object" || marketplaces === null || Array.isArray(marketplaces)) {
+            return null;
+        }
+        const entry = marketplaces[marketplaceName];
+        if (typeof entry !== "object" || entry === null || Array.isArray(entry))
+            return null;
+        const source = entry.source;
+        return typeof source === "string" ? source : null;
+    }
+    catch {
+        return null;
+    }
 }
 function isCodexMarketplaceDifferentSource(error) {
     return /already added from a different source/i.test(commandErrorText(error));
@@ -616,34 +651,45 @@ function enableCodexPluginConfig(configPath, pluginKeys, needsPluginHooks) {
     const content = minimalContent ?? buildCodexPluginConfigToml(originalContent, configPath, pluginKeys, needsPluginHooks);
     atomicWriteFile(configPath, content.endsWith("\n") ? content : `${content}\n`);
 }
-async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, opts, marketplaceExecOpts, failures) {
+async function addCodexMarketplaceWithRetry(marketplaceName, addCommand, expectedSource, opts, marketplaceExecOpts, failures) {
+    const registeredSource = readCodexMarketplaceSource(marketplaceName);
+    if (registeredSource !== null) {
+        if (registeredSource !== expectedSource) {
+            // Supply-chain guard: a same-name marketplace pointing at a different
+            // source (e.g. a fork URL) must not be silently `upgrade`d — its
+            // content would be cached under our name and consumed downstream.
+            const msg = `Codex marketplace ${marketplaceName} is already added from a different source`;
+            log.error(`${msg}\n  registered: ${registeredSource}\n  expected:   ${expectedSource}`);
+            failures.push(msg);
+            return;
+        }
+        try {
+            exec(codexMarketplaceUpgradeCommand(marketplaceName), marketplaceExecOpts);
+            log.ok(`Codex marketplace ${marketplaceName} upgraded`);
+        }
+        catch (e) {
+            // Surface the underlying upgrade error so a 6-month-out reader
+            // can tell apart ENOENT / network / auth / git failures.
+            log.error(`Failed to upgrade Codex marketplace: ${marketplaceName}\n${commandErrorText(e)}`);
+            failures.push(`codex marketplace ${marketplaceName}`);
+        }
+        return;
+    }
     try {
         exec(addCommand, marketplaceExecOpts);
         log.ok(`Codex marketplace ${marketplaceName} added`);
-        return;
     }
     catch (e) {
         if (isCodexMarketplaceDifferentSource(e)) {
+            // Defense-in-depth: config.toml didn't claim the name but Codex CLI
+            // refused with "different source" — rare divergence between Codex
+            // internal state and config.toml.
             const msg = `Codex marketplace ${marketplaceName} is already added from a different source`;
             log.error(`${msg}\n${commandErrorText(e)}`);
             failures.push(msg);
             return;
         }
-        if (isCodexMarketplaceAlreadyAdded(e, marketplaceName)) {
-            try {
-                exec(codexMarketplaceUpgradeCommand(marketplaceName), marketplaceExecOpts);
-                log.ok(`Codex marketplace ${marketplaceName} upgraded`);
-                return;
-            }
-            catch (upgradeErr) {
-                // Surface the underlying upgrade error so a 6-month-out reader
-                // can tell apart ENOENT / network / auth / git failures.
-                log.error(`Failed to upgrade Codex marketplace: ${marketplaceName}\n${commandErrorText(upgradeErr)}`);
-                failures.push(`codex marketplace ${marketplaceName}`);
-                return;
-            }
-        }
-        // Same: surface the add error rather than masking ENOENT / network / auth.
+        // Surface the add error rather than masking ENOENT / network / auth.
         log.error(`Failed to add Codex marketplace: ${marketplaceName}\n${commandErrorText(e)}`);
         failures.push(`codex marketplace ${marketplaceName}`);
     }
@@ -726,7 +772,7 @@ async function installCodexPlugins(packageRoot, opts) {
         ? { inherit: true }
         : undefined;
     if (localMarketplace) {
-        await addCodexMarketplaceWithRetry(localMarketplace.name, codexMarketplaceAddCommand(packageRoot), opts, marketplaceExecOpts, failures);
+        await addCodexMarketplaceWithRetry(localMarketplace.name, codexMarketplaceAddCommand(packageRoot), codexLocalMarketplaceSource(packageRoot), opts, marketplaceExecOpts, failures);
     }
     // Dedupe external marketplaces by name — multiple plugins from the same
     // upstream share a single `marketplace add` call.
@@ -735,7 +781,7 @@ async function installCodexPlugins(packageRoot, opts) {
         uniqueExternalMarketplaces.set(p.marketplace.name, p.marketplace);
     }
     for (const mp of uniqueExternalMarketplaces.values()) {
-        await addCodexMarketplaceWithRetry(mp.name, codexExternalMarketplaceAddCommand(mp.source), opts, marketplaceExecOpts, failures);
+        await addCodexMarketplaceWithRetry(mp.name, codexExternalMarketplaceAddCommand(mp.source), codexExternalMarketplaceSource(mp.source), opts, marketplaceExecOpts, failures);
     }
     if (failures.length === 0) {
         const localMarketplaceContentRoot = localMarketplace

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "auriga-cli",
-  "version": "1.20.5",
+  "version": "1.20.6",
   "description": "Interactive CLI to install Claude Code harness modules (Workflow, Skills, Recommended Skills, Plugins, Hooks)",
   "license": "MIT",
   "repository": {